Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11785
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-02-21 01:01:51 | theregister | CYBERCRIME | Singapore Central Bank Urges Financial Sector to Prep for Quantum Threats | The Monetary Authority of Singapore (MAS) has recommended that financial institutions prepare for quantum computing threats, suggesting the adoption of post-quantum cryptography (PQC) and quantum key distribution (QKD). MAS highlights that quantum computing could compromise current encryption and digital signature algorithms, posing significant cybersecurity risks within the coming decade. Financial institutions should monitor quantum computing advancements and ensure they can update cryptographic measures without disrupting current systems. MAS emphasizes the importance of awareness within institutions, especially among third-party providers and management, in understanding and mitigating quantum risks. Upgrading systems to be quantum-resistant is advised, along with implementing personnel training, setting standards, and preparing contingency plans. The advisory is likely to influence financial services across Asia, given Singapore's growing status as a regional financial hub. Industry experts support MAS's advisory, noting recent developments that show cryptographically relevant quantum computers may be nearer than expected. Cybersecurity professionals recommend early action to guard against potential "capture now, decrypt later" attacks, highlighting the longevity of sensitive data's relevance. | Details |
| 2024-02-20 21:02:45 | bleepingcomputer | CYBERCRIME | VMware Advises Removal of Outdated Plugin to Thwart Attacks | VMware issued a warning for admins to remove a vulnerable authentication plugin, the Enhanced Authentication Plug-in (EAP), susceptible to attacks. Two unpatched security vulnerabilities, CVE-2024-22245 and CVE-2024-22250, enable authentication relay and session hijack attacks in Windows domain environments. The deprecated EAP allows seamless logins to VMware's management interfaces but has been outmoded since vCenter Server 7.0 Update 2 in March 2021. There are no current indications that the vulnerabilities have been exploited in the wild; however, VMware provides guidelines for removing or disabling the plugin. The deprecated plugin must be manually installed, and VMware recommends using alternative authentication methods like Active Directory over LDAPS or ADFS. VMware disclosed that a critical vCenter Server vulnerability patched in October was actively exploited by the UNC3886 Chinese cyber espionage group for over two years. | Details |
| 2024-02-20 20:42:09 | bleepingcomputer | CYBERCRIME | Researchers Uncover Wireless Charging Exploit That Damages Phones | A new set of attacks, named 'VoltSchemer,' can manipulate a smartphone's voice assistant and cause physical damage through wireless chargers. Academic researchers from the University of Florida and CertiK demonstrate that the magnetic field from wireless chargers can be interfered with to induce harmful effects on smartphones. Electromagnetic interference is used to manipulate the charger's behavior without physically altering the charging station or smartphone. Attack methods include overheating the phone to dangerous levels, bypassing safety standards to transfer energy to unintended items, and injecting voice commands. Experiments reveal that a smartphone can overheat to the point of emergency shutdown, while nearby metallic objects can reach temperatures high enough to cause fires or damage. In one scenario, voice commands were covertly transmitted to a phone's voice assistant, including initiating calls or launching apps. The risks exposed underscore the need for improved security designs in wireless charging technology to prevent potential misuse. The research team has informed wireless charger manufacturers of their findings to discuss potential countermeasures against such attacks. | Details |
| 2024-02-20 19:40:56 | bleepingcomputer | MALWARE | New Migo Malware Targets Redis Servers for Cryptojacking | Security researchers have uncovered a malware campaign targeting Redis servers for cryptocurrency mining using a malware called 'Migo'. Attackers exploit unprotected Redis servers on Linux hosts, deploying system-weakening commands to disable security features and facilitate prolonged cryptojacking activities. The campaign was identified by Cado Security through their honeypots, revealing the use of command-line instructions to deactivate protective configurations and exploit the server's resources. Once the Redis server is compromised, attackers establish a cron job to download and execute the primary payload, a UPX-packed ELF binary compiled in Go named Migo, from a file-sharing service. Migo's primary purpose is to download, install, and execute a modified version of the XMRig Monero miner, establishing persistence through a systemd service. The malware includes a user-mode rootkit that hides its processes and files by intercepting system tools, complicating detection and removal. Attackers conclude the campaign by setting up firewall rules, disabling SELinux, neutralizing competing miners, and manipulating '/etc/hosts' to obstruct communications with cloud services. While the cryptojacking does not pose an immediate threat of data disruption or corruption, the access gained could potentially be leveraged to deploy more harmful payloads. | Details |
| 2024-02-20 16:53:00 | bleepingcomputer | MALWARE | ConnectWise Patches Critical RCE Vulnerability in ScreenConnect | ConnectWise issued an immediate patch advisory for a critical authentication bypass flaw in ScreenConnect servers, leading to potential remote code execution (RCE). The vulnerability can be exploited without user interaction in low-complexity attacks, posing a serious risk of unauthorized data access or code execution on affected systems. High-privilege actors could also exploit a separate patched path traversal defect in ScreenConnect's remote desktop software. Security researchers at Huntress have developed a proof-of-concept (PoC) exploit, highlighting that thousands of servers are still vulnerable according to searches on Censys and Shodan platforms. On-premise ScreenConnect servers running versions older than 23.9.7 are at risk, while cloud servers on screenconnect.com have been secured. Industry advisories have previously noted that legitimate remote desktop tools like ScreenConnect are increasingly repurposed by attackers for unauthorized network access and as a means for persistent threats. | Details |
| 2024-02-20 16:32:17 | bleepingcomputer | CYBERCRIME | Knight Ransomware Source Code Up for Sale on Hacker Forum | The alleged source code for Knight ransomware version 3.0 is being offered for sale by the operation's representative on a cybercriminal forum. Knight ransomware, a re-brand of Cyclops, targets a variety of systems and offers a 'lite' version for smaller-scale affiliates. Cyber-intelligence firm KELA observed the sale announcement on the RAMP forums by a user known to represent the Knight group. The advertisement promises exclusive sale of the source code, including the encryption panel and locker, to maintain its value. The seller, using the alias Cyclops, has not mentioned a specific price but insists on a deposit from reputable buyers with the transaction guaranteed through RAMP or XSS forums. Contact details for the potential transaction have been provided by the seller, adding legitimacy to the offer. Activity from Knight ransomware representatives has ceased on various forums since December 2023, and the victim extortion portal went offline in February 2024. KELA suggests that the inactivity of the Knight ransomware operation might indicate a move to exit the criminal business by selling off their assets. | Details |
| 2024-02-20 16:06:07 | theregister | CYBERCRIME | International Law Enforcement Successfully Dismantles LockBit Ransomware Operation | Western authorities dismantled LockBit ransomware infrastructure in a coordinated effort named "Operation Cronos." The takedown included the seizure of the group's leak site, once used to publish victim information, now repurposed to reveal LockBit's secrets. The UK's National Crime Agency (NCA) controls the leak site, with countdown timers indicating when new information will be released, including the identity of LockBit's leader. Arrests have been made in Ukraine and Poland, building on previous arrests in the US and Canada. Additional indictments have been issued against Russian nationals alleged to have deployed LockBit ransomware in the US. The NCA acquired LockBit's source code and intelligence data, revealing that ransom-paying victims' data was not always deleted as promised by the criminals. Over 200 cryptocurrency accounts associated with LockBit have been frozen, and victim decryptors are being made available through the FBI and Europol's "No More Ransom" portal. Further disclosures are planned throughout the week, culminating in the unveiling of LockBitSupp's identity and insights into the gang's cryptocurrency transactions before the leak site is closed permanently. | Details |
| 2024-02-20 15:25:07 | thehackernews | MALWARE | Novel 'Migo' Malware Attacks Redis Servers for Crypto Mining | A new malware campaign targeting Redis servers is facilitating cryptojacking by compromising Linux hosts for cryptocurrency mining. The campaign uses the Migo malware, a Golang ELF binary with obfuscation features that maintains persistence on infected machines. Migo works by disabling specific Redis server configurations to weaken security defenses and set up future attacks. It establishes persistence, removes competing miners, and deploys an XMRig installer for mining operations. Migo also disables SELinux and uses a modified version of the libprocesshider rootkit to conceal malicious activities. The campaign was discovered when unusual commands targeted honeypot instances of Redis servers, commonly used in cloud environments. While the operations resemble those of established cryptojacking groups, the exact intentions and targets remain partially unclear, demonstrating persistent evolution in cloud-focused attack strategies. | Details |
| 2024-02-20 15:19:45 | theregister | DATA BREACH | Wyze Camera Snafu Exposes Users' Feeds to Strangers | Wyze, a smart home security camera company, experienced a cybersecurity incident affecting around 13,000 users. Due to a third-party caching client library error, some Wyze customers had access to other users' camera feeds. The issue occurred following a system outage and the subsequent restoration of service, causing device ID and user ID mappings to be confused. Wyze took immediate action by revoking access to the Events tab and is implementing additional measures to prevent future incidents. Despite having a security team and undergoing multiple audits, Wyze acknowledged the incident as disappointing and contrary to their commitment to customer protection. The company is exploring new client libraries and has added extra verification layers to safeguard user-device relationships. Some Wyze users have reported feeling violated by the privacy breach, with discussions leaning towards negative sentiments and talk of review bombing across various platforms. | Details |
| 2024-02-20 15:04:05 | bleepingcomputer | CYBERCRIME | The Evolution of Ransomware: Targeting and the Cybercrime Supply Chain | Ransomware groups largely rely on the cybercrime supply chain, where access to targets is purchased rather than independently discovered. Infostealer malware, which steals sensitive data like credentials and self-terminates, has seen significant growth and often results in ransomware attacks. Threat actors monetize stolen data via Telegram channels. Flare has tracked over 46 million stealer logs, with many containing corporate credentials. Initial access brokers specialize in gaining and selling access to company networks to ransomware groups and affiliates, with more than 500 entities breached in 2023. The ransomware ecosystem is expanding, with over 50 active groups and a complex network of affiliates who execute attacks and share profits. The competition among ransomware groups for skilled affiliates is intense, as demonstrated by public accusations and disputes on dark web forums. Building a Continuous Threat Exposure Management (CTEM) program is presented as essential for companies to disrupt the cybercrime supply chain and mitigate threats. Flare offers a Continuous Threat Exposure Management (TEM) solution for organizations to detect, assess, and mitigate cyber threats, integrating with security programs to enhance defenses. | Details |
| 2024-02-20 14:38:15 | bleepingcomputer | CYBERCRIME | German Software Firm PSI Software Hit by Ransomware Attack | German-based PSI Software SE experienced a ransomware attack impacting its internal infrastructure. As a global software service provider for energy suppliers, PSI specializes in control systems and operational management solutions. The company initially reported a cyber incident on February 15, leading to the shutdown of various IT systems, including email. PSI Software subsequently confirmed the nature of the disruption as a ransomware attack, although the entry point remains unidentified. Investigations have not found any indication of the attack spreading to customer systems. Authorities are involved, with support from the Federal Office for Information Security. Ransomware group Hunters International has taken credit for the attack, claiming to have filched over 36,000 files (88 GB). The legitimacy of Hunters International's claim, including the data theft, is yet to be verified, highlighting the ongoing threat of ransomware-as-a-service operations. | Details |
| 2024-02-20 13:52:12 | thehackernews | MALWARE | Malicious PyPI Packages Employ DLL Side-Loading to Evade Detection | Cybersecurity experts detected two harmful packages on the Python Package Index (PyPI) that used DLL side-loading to run malicious code and dodge antivirus detection. The packages, NP6HelperHttptest and NP6HelperHttper, mimicked legitimate software tools related to ChapsVision's marketing automation solution. These packages were downloaded more than 700 times collectively before being removed from PyPI. They included scripts that downloaded a vulnerable executable and a malicious DLL, thereby side-loading the latter to conceal their true nature. The injected DLL communicated with a controlled domain to retrieve a Cobalt Strike Beacon, indicating an advanced persistent threat. This incident underscores the growing risks associated with software supply chain security, particularly concerning open-source repositories. Developers and organizations are being warned to remain vigilant against such sophisticated impersonation and side-loading tactics in repository ecosystems. | Details |
| 2024-02-20 13:16:23 | bleepingcomputer | CYBERCRIME | International Task Force Disrupts LockBit Ransomware Operations | International law enforcement has arrested two LockBit ransomware operators and issued further arrest warrants and indictments. A decryption tool has been created and released to help LockBit victims recover their encrypted files for free. In a coordinated effort named Operation Cronos, police have seized over 200 crypto-wallets and compromised LockBit's primary infrastructure. Europol's intervention has led to the takedown of 34 servers across eight countries and identified over 14,000 rogue accounts linked to cybercriminal activities. The joint action included national agencies such as the U.K.'s NCA, Europol, the FBI, and law enforcement from other countries, underscoring the global approach to combating ransomware. Over 1,000 decryption keys have been retrieved, which have been used to develop a free LockBit 3.0 Black Ransomware decryption tool, now available through the 'No More Ransom' portal. The exact amount of cryptocurrency in the seized wallets is unclear, but there is potential for ransom recovery similar to past FBI efforts. Law enforcement has gained a significant amount of data about LockBit's operations, which will aid in ongoing and future actions against the group's leadership, developers, and affiliates. | Details |
| 2024-02-20 13:00:42 | thehackernews | CYBERCRIME | Major Blow to LockBit: Ransomware Operation Dismantled, Arrests Made | Operation Cronos, led by the U.K. National Crime Agency, has successfully dismantled the LockBit ransomware operation and arrested key criminals. Two LockBit affiliates have been arrested in Poland and Ukraine, while indictments have been issued in the U.S. against two Russian nationals for LockBit ransomware attacks. Authorities obtained LockBit's source code, intelligence, and over 1,000 decryption keys, assisting victims in recovering their encrypted files. Over 200 cryptocurrency accounts associated with LockBit have been frozen, and the group's infrastructure, including affiliate servers and data leak site, has been taken down. The operation has damaged LockBit's credibility and operational capability, despite the possibility of the group attempting to rebuild its criminal enterprise. The ransomware group, operating since 2019, has affected more than 2,500 victims globally and amassed over $120 million from their illegal activities. A free decryption tool has been made available to victims through the No More Ransom project, offering relief without the need to pay ransoms. | Details |
| 2024-02-20 11:33:25 | bleepingcomputer | CYBERCRIME | Global Task Force Cracks Down on LockBit Ransomware Gang | Law enforcement agencies have made arrests and seized infrastructure in an international operation targeting the LockBit ransomware gang. Two LockBit operators were arrested in Poland and Ukraine, and authorities issued several international arrest warrants and indictments. Agencies from multiple countries collaborated in the operation, leading to the takedown of 34 servers and the control of LockBit's critical infrastructure. Law enforcement has developed a decryption tool to aid LockBit victims, available via the 'No More Ransom' portal. Over 200 crypto-wallets were seized, which may allow recovery of ransom payments for some victims. A significant amount of LockBit's operational data was collected, aiding in continued efforts to dismantle the group and target its leaders, affiliates, and frameworks. LockBit's affiliate panel and dark web leak sites were confiscated, sending a strong message to affiliates and their criminal network. | Details |